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ABSTRACT OF TW my!LOSURE; 

A method and an apparatus provide a uso- the capability of a single 
registration process or point of contact for registration \^ch nonetheless enables the 
user to be authenticated to two or more independrat service providers. A network 
architecture assumes the responsibility of functionality common to a plurality of 

S ser^ce providers where such functionality includes sovice registration, 

authentication for a service, encryption for the communications wift the service, 
monitoring of usage of the service and billing for such usage. This reduces the cost 
and complexity for the user and server end points of the netwoik allowing a more 
diverse group of s^ice providers to ofiTer ever inqnroving services without need for 

1 0 investing in processing structure that can be better incorporated within the network 
and shared amongst a plurality of providers. 
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METHOD AND APPARATUS FOR PROVIDING 
A PROCESS FOR REGISTERING WITH A PLURALITY 
OF INDEPENDENT SERVICES 

Cross Reference to Related Applicaticms 

This application claims priority to provisicmal ^>plication 60/105,195 
entitled "METHOD AND APPARATUS FOR PROVIDING A PROCESS FOR 
REGISTERING WITH A PLURALITY OF INDEPENDENT SERVICES" filed on 

S October 22, 1998, the contents of i>^ch are incorporated herein by reference. The 
present s^lication is related to provisional an>lications 60/105,189 entitled 
"METHOD AND APPARATUS FOR PROVIDING A PROCESS FOR 
REGISTERING WITH A PLURALITY OF INDEPENDENT SERVICES" filed on 
October 22, 1998, and provisional plication 60/105,196 ENTITLED "A 

10 METHOD AND APPARATUS FOR ENHANCING NETWORK USAGE" filed on 
October 22, 1998. 

Field of the Invention 

The present invention is directed to a method and apparatus for proving 
IS network communications betweoi users and service providers. More particularly, 
the present invention is directed to a method and ^paratus by y/hich auser can 
register wiUi a networic in a single registration process and become r^stered to a 
plurality of services provided by independent service providers. 



20 



Backgrotmd of the Invention 

In the past decade there has been an ever increasing use of communication 
netwoilcs to transfer information between users of network resources. Wireline 
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telephone netwoiks have given way to wireless communications. Voice 
communications have given way to data communications. Data conmiunications via 
groups of computer networics, such as the Internet, utilizing a conunonly acceptable 
protocol permit communication capabilities unheard of in years gone by. Electronic 
mail has become conunon place. Furthermore, it has become easier and easier to 
communicate complex audio and video information via such computer netwoxks. 

A block diagram representation of a well known network configuration is 
illustrated in FIG. 1 . In this well known configuration a network 100 includes a 
number of communication switdies 101 to 104. The network represented by the 
cloud 100 provides points of ingress and egress for communications between users 
of tiie network. Included in the category of users are those service provides which 
seek to provide information or services to othar users. For example, in an Internet 
environment various service providers may support different sites having different 
types of information. One site may have information regarding books, e.g., 
amazon.com, anothor might have information about news, e.g., cnn.com, etc. The 
service providers may have differing levels of sophistication in terms of the types of 
information tiiat they market Additionally, various service providers may have 
differing levels of needs with regard to authenticating users of the service and 
monitoring usage of the sovice for either billing or other informational purposes. 

In today's Intanet protocol (IP)-based networks there is eflBcient packet 
delivery that uses only the Domam Name Service (DNS) and routing for an m- 
network service. All the ridmess and divCTsity of services and plications is 
completely encapsulated in the cliait (user) and server end points. In some respects 
thOT the network is utilized simply as a transport mechanism with intelligence being 
pushed out to the outer limits of the network, that is, to the terminal points of the 
network \n1iere the users and SCTvice providers reside. There are significant costs 
associated with this arrangemoit, however, as more and more complex and 
sophisticated capabilities must be provided at the end points for each individual 
client or sCTver. For exanq)le, in the client servo- configuration illustrated in FIG. 1 
each individual server that wishes to keep track of its users and possibly limit access 
to only those who have properly registered with Ae service mxtsX have their own 
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sq)arate capabilities for registering uscts and monitoring usage. Each saver also 
should have then separate capabilities for authenticating previously registered users. 
Also, when appropriate the server should be able to effect billing. This complexity 
and cost can result in limiting the development of new services as fewer and fewer 
S potential service providers are able to afford that which is necessary td perform even 
the most basic functionality need to track users. 

It would be beneficial if an arrangement coidd be provided in i^di network 
end points would retain some intelligence to enable specific services wfaidi coiild 
become more and more sophisticated while a central resource could be shared by 
10 various ones of the service providers to perform common user tracking tasks that 
play roles in servicing using requests. 

Summary of the Invention 

The present invention provides a method and {qiparatus by which certain of 

IS the common user tracking fimctionality is off-loaded fix>m the us^/server network 
end points and is instead incorporated in tfie network architecture. As a 
consequence, the network assumes responsibility for such common user tracking 
fimctions as registration, authentication, user usage, and billing. In tfiis arrangement 
a user who desires to register wttti services fit>m two or more independent service 

20 providers can do so witfi a single registration operation involving core network 
fimctionality. The network operates as the receiving point for all iiser registrations 
and service registrations. The network can then maintain account records winch 
represent access privilege information. This information defines the relation^ps 
between users and services with which they are registered. Once the user is 

25 registered with a number of services, if the user flien at some later time requests 

network authentication and becomes active in the network, then the access privileges 
defined by the accoimts information defines those services that the user will be 
allowed to access. Furthermore, all of the registration information can be made 
available in varying degrees of specificity to users and service providers alike. For 

30 example, users may be able to find out information about service providers and 

services that they render as registered with the network. Similariy, service providers 
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may be able to find out some set of infonnatioii, limited by privacy concerns, 
regarding users or potential users of the provider's service. 

The present invention provides this single registration capability in the 
context of a network employing a secure boundary with a plurality of acc^s points 
5 or gates at which user registration and authentication are initiated. Core information 
maintained within the secured boundary is utilized to define user and service access 
privileges. Other features of die network will be described below. 

Brief Descrit ^tion of the Drawings 
10 FIG. 1 shows a block diagram representation of a prior art network 

architecture. 

FIG. 2 shows a block diagram representation of a network architecture in 
accordance with an embodiment of the present invention. 

FIG. 3 shows a block diagram of anothCT version of the network architecture 
IS in accordance with an embodiment of the present invention. 

FIG. 4 ^ows in block diagram form, examples of elements of a portion of 
the network architecture of FIG. 2. 

FIG. 5 shows a schematic rqnresentation of an example of a multiple network 
configuration in accordance with an embodiment of the present invention. 
20 FIG. 6 shows a schematic diagram of a logical control architecture for a 

network in accordance with an embodiment of tiie present invention. 

FIG. 7 illustrates in block diagram form one aspect of an active register 
component of a network architecture in accordance with the raibodiment of FIG. 2. 
FIG. 8 illustrates a block diagram representation of a portion of a gate 
25 component of the nctworic architecture of FIG. 2. 

FIG. 9 provides a flow chart representation of a process for user access to a 
network service in accordance with an embodiment of the present invention. 

FIG. 10 provides a block diagram representation of architecture components 
for implementing a usage and billing function in accordance with an embodunent of 
30 die present invention. 

FIG. 1 1 provides a block diagram representation of the architecture of a peer 
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inter&ce in accordance with an embodimoit of the present invention. 

FIG. 12 illustrates in block diagram form software components of the pear 
interfiaceofFIG.il. 

FIGS. 13 to IS provide flow charts for describing communication processing 
S in the peer interface of FIG. 1 1. 

FIGS. 16 and 17 provide block diagrams of network architecture components 
for enabling racryption to and from network access points such as tiie gates of FIG. 
2. 

FIG. 1 8 illustrates in block diagram form an embodiment of a gate 
1 0 employable in the architecture of FIG. 2. 

FIG. 19 ilhistrates in block diagram form a network architecture diat employs 
a plurality of gates of the type ilhistrated in FIG. 18. 

FIGS. 20 and 21 illustrate in block diagram form data communication 
arrangements available using the network architecture of FIG. 19. 

15 

Detailed Description 
Overview 

FIG. 2 illustrates an example of a network m accordance with an 
20 CTibodiment of the present inventioiL In this arrangement network elements irKlude 
a plurality of gates 201 through 206. a core, 207, a store, 208, a hop, 209, client 
peers 212 and 214, and a service pew, 216. The client pears represent those user or 
client entities that plan to interftce with the network. The tmos user and client will 
be used interchangeably throughout this document The service peers represent 
25 those service provider entities that plan to intCT&ce with the network. Each of the 
peers is modified to include inter&ce to the network. This interface can be 
constituted by software designed to run on ttie client or service provider computer 
equipment whereby the software interacts with int^rfiice sofhvare residing in the 
network gate elements. In accordance with the present invention the plurality of 
30 gates 201 to 206 form a secure boundary for the network such that only authorized 
clients and service providers can gain access into the network via their interaction 
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with a given gate at the boundary of the netwoik. The store element 208 and the 
core elements 207 are considered part of the network capabilities and extennal peers 
such as clients and service providers are not permitted direct access to the stores and 
core elements. 

5 The present invention incorporates certain functionality in the core and store 

elements such that functions that were provided by die service providers in the prior 
art configuration of FIG. 1 are now incorporated into Ae fabric of the netwoik itself. 

As an example of one fimction vAddlk might be incorporated within the 
network, the core can receive information firom a gate with ^om a client peer is in 

10 communication so as to receive user identification information. The core can then 
detennine M^iether or not that user has already registered witii the network. Ifthe 
user has not previously registered with the network then the core and gate together 
can initiate a registration process by which the user registers widi the network. At 
the time of registration the user can be provided witfi various options for subscribing 

15 to services that are presently available through the network. The various services 
can be provided by independent service providers. That is, the network can provide 
an opportunity for a single user to subscribe to or register with a plurality of services 
ofifered by different and independent service providers who are also at various end 
points of the network. All of this registration information can be compiled in 

20 account records or files in die core. When a user subsequently logs onto the network 
then seeks authentication and becomes an active user of the network, the network 
can then control the user's access privileges utilizing the account record information 
available in the core. For example, if the user has previously subscribed to service 
"A" but has not subscribed to service "B" then the network at the time of 

25 authentication can generate access privileges which permit the user to access service 
"A** while denying access to service "B" 

In addition to die notion of maintaining access privileges for users and 
services the core and store elements of the present invention provide for centralized 
monitoring of a user's usage of the diffi^rent services registered with the network. 

30 Pointing again to an example, assume that the user is registered with the network 
and has subscribed to services "A" and "B". As the user avails themselves of the 
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respective sovices, the netwoik, rather tiian the sovices themselves, can monitor 
sudi usage and can even generate billing records should billing be an issue with 
respect to any <me of these services. 

The architecture ©f the present invention thaefore provides a network in 

5 vAich Aere is a secure boundary which allov»rs for secure transmissions within tiie 
netwoik itself while the netwoik incorporates certain fimctionality whidi would 
otherwise be common to a plurality of end usere or service providers to reduce the 
need for comploi processing at the end points of the network. The end points need 
not individually incorporate functionality whidi might be better diared between a 

10 plurality of service providers even if those service providers are independent of one 

another. 

The following subsections of this detailed description will provide more 
information with regard to the architecture of this network and the specific elements 
w^idi make up tfiat architecture. 

15 

T7,..yj«hvoTk Architecture 

As described above in relationship to Ae sdionatic diagram of FIG. 2, Ae 
network ardiitecture of the present invmtion utilizes five categories of hardware 

related components referred to as the core, gates, hops, pears and stores. 

20 The remaindCT of this section vail provide a Iwief description of eadi of tiiese 

hardware components, fteir interrelationship witii one anotha and how Aey are 
generally configured to establish the desired netwoik architecture. 

A core such as that shown as element 207 in HG. 2 is the information kernel 
and heart of the network architecture. It maintains the business logic described as a 

25 rich web of relationships among logical entities that use the netwoik for example, 
users, accounts, and services. Conceptually, the core forms an abstract layer that 
models the services via a set of objects and a well-defined set of relationships 
between those objects. The core contains information regarding user accounts and 
available services to support user authentication and access control. The 

30 authentication information cOTitainscryptogr^hic data that netwoik securiQr needs 

to authenticate a user's identity and to establish and maintain a session's security for 
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the duration of a user's connection to the network via a gate. 

The gates, (201 to 206) represrat the work horses of the architecture. They 
provide scalability, create a security perimeter, and enable protocol mediation. 
Gates implement a variety of security and service functions. These include access 

5 control supported by a dynamic firewall protection tightly coupled with tiie 
registration and authentication system, data proxies for various protocols such as 
Web content caching, and usage record generation for Peers. All traffic between the 
peers and tfie network flows through the gates. 

Each gate contafais two or more network interface cards, (NIQ. One 

10 connects die gate to the private secure network using a packet filter as a switch and 
the other NIC connects the gate to the external unsecured network. Peers, stores, 
hops and other networks are on the external side of agate and the otha: gates and die 
core are on the internal side. 

Each peer (212, 214, and 216) utilizes its respective gate as an access into the 

15 network. The gate perforins computing and adniiiiistrative fimctioiis. The single 
gate supports access control, usage recording, peer control, and protocol mediation 
for its cluster of authenticated peers. A sample of a block diagram of a gate is 
ilhistrated in FIG. 4 which provides more details with regard to CCTtain elcmoits 
shown in FIG. 2. As can be seen, a single gate includes a packet filter 401 , an 

20 Access Daemon, a Control Daemon 403, a Usage Daemon 402, a Data Daemon 403, 
a subsystem monitor 404 and a Unix Management Agent (MA) 405. Wifliin the gate 
the access control consists of the padcet filter and the Access Daemon that 
manipulates the access rules in the packet filter. Pear control is siq>ported by a 
multi-direaded Control Damon that spawns a separate thread fiar audioiticated pcCT. 

25 Usage recording consists of the Usage Daemon that generates and locally saves the 
records and the usage proxy that forms the extended interface to the Usage Daemon. 
The Data Daemon runs separate threads for various proxies for protocols, such as 
HTTP, FTP, POP3, SMTP, Goffer, LDAP. H.323 and Tetact. Specialized proxies 
add additional support for functions like registration. The Daemons running on the 

30 gate support a centralized log-in, event notification, monitoring, and management 
inter&ces. 
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Hops are the transfer points to other networks such as the Internet, the 
telephone switch network, or other enterprise netwoiks. Hops also conv^ the IP 
traffic fix)m the network gate to whatever is on the other side, such as Net Ware or 
PSTN. For telq)hony support, a hop consists of a H323 gateway to the PSTN. 

The network mables end*point devices in the positions that clients and 
servers normally occupy. These mclude personal computers (PCs), work stations, 
PBAs, set top boxes, telephones, cellular phones, or digital pagers. A peer can be 
any device that can be assigned an IP address and ttiat inq)lements the control 
channel protocol of the present invention. A peer can s^e as bodi the client for end 
user qyplications and die server for services being ofifo^ to the network. 

The software is referred to as the peer inter&ce software cables these end- 
point devices to access the networic via one of the gates. Peer device, in general, 
refers to an enabled end-point device, be it a Windows 9S/NT client PC, a UNIX 
server, a Java station, a NC-dedicated terminal, or a Web Phone consumer device. 
In this context the peer devices are characterized as programmable with Java having 
an IP address and can communicate with an IP-based network. Devices that do hot 
fell into diis charactmzation can still be connected to the network given that there is 
a peer that can commxmicate with die devices. 

The peer can be implemented with a set of Java classes. The use of Java 
satisfies a number of the functional and design requirements pertaining to 
robustness, easy ext^ibilily, allowing incrraiental software iqxlates, and allowing 
it to be embedded into dedicated machines. The peer software contains a firamework 
for interacting with a network cloud. A cloud constitutes an authentication trust and 
centralizes authentication, access control and security for one or more domains.. It is 
composed ofSitesdiattogedier define the security domain. A site is the basic 
integration unit composed of some combination of gate, hop, store and core 
machines. Its definition is based on the existence of a secure network over whidi 
the gate and core machines are cormected. This networic can be either a private 
secure network or virtual private network over an unsecured network such as the 
Internet It may or inay not have a core for adniinistrating a dorxiain. The site 
centralizes functions like network management, network control, performance traffic 
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monitoring, bandwidth allocation, broadcasting, and multi*casting. Sites can be 
connected in order to provide the same functionality among larg^ nimibers of 
dislocated machines. Communication bctwera sites must be over a dedicated 
connection or if the sites are connected over an unprotected network, thra the 
n^ork level encryption of the link must be established 

With clouds it is possible to establish a partnership relationshq[>, set up 
oiitsourcing, establish platform frandiise or sell services. A cloud may have more 
than one core thus defining more than one domain. Eadi donuun may be specified 
by a different domam ID and have its own registration and account repository. Users 
and services access the domain through any gate on tfie cloud thus logically sharing 
resources. 

Returning to the notion of a peer, it can be executed in one of two ways, 
depending on the applications using it For example, a Java virtual machine, (JVM), 
can be started and the main method of the peer class invoked. Alternatively, an 
instance of the peer class can be started from within an already-running JVM. 

Applications that make use of the peer &11 into two architectural categories. 
In the first, an iqpplication can be written in Java and run in the same JVM as the 
peCT. This is the most natural mechanism for new applications and, in fin:!, may be 
the only possibility in certain enviromnents, such as for embedded devices. 
Alternatively, an iq^jplication can be written in a difierent language and conmiunicate 
with the peer API using a socket-based protocol. A variation of the scheme would 
be possible in cases where a language an invoke Java methods directly (for exanq>le. 
Code can invoke Java using JDKl .1). 

Given that some explications run outside the JVM contaming the peer 
support and that it may be necessary to externally inter&ce with the peer, an external 
intCT&ce called peer intCTfece is provided. This interface accepts local coimections 
and executes a limited number of commands using a simple protocol. A command- 
line inter&ce utility called "pido** makes it easy to use this interface. 

The peer also runs a mini HTTP server that lets browsers trigger actions in 
the peer. It is extensible by allowing developers to create new Java applications and 
registerthem with the peer in a way that associates a URN with the plication. The 
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browser can thai invoke tfie s^lication with arbitrary arguments. The convention 
for extending mini-HTTP server with new CGI-like functions is currently not based 
on Java s^eletts, but since serveletts are becoming ubiquitous and standard, usmg 
them will be a natural evolution of this design. Further details regarding the peer 
architecture will be provided below with regard to a description of FIGS. 11 to 17. 

Returning to tiie notion of network clouds, although multi-domain clouds can 
provide logical sq)aration and management of users and services, mult^le clouds 
can be interconnected to ofiTer a compltte separation of domains. Clouds have to 
register wiA each other, much like services to allow trafBc to flow between them. 
Once several clouds recognize each otiio:, their users may be allowed to roam away 
from their home cloud. Roaming between clouds is the ability of a member of a 
given cloud to access the home cloud indirectly through other clouds. In the 
netwoik of the present invention, roaming is supported by medianisms that require a 
cloud providing roaming for members of other clouds to tunnel through to their 
other clouds. An example of this is illustrated in FIG. S. In this example a peer 501 
mter&ces witii a first cloud SOS in an attempt to gain access to its home cloud 510. 
In so doing, cloud 505 creates an encrypted tunnel 508 that cuts across ftaX cloud 
and provides access to a gate on home cloud 510. Access control for the user is then 
performed at their home cloud. In tiiis way» other clouds, sudi as 505, need not be 
relied upon to implement the user's access control, nor are they provided with any of 
the user's private information. 

One netwoik element that has not been touched vpon as yet is the store. Hie 
store is a peer that mq)lements services relating to maintenance, provisioning, and 
daily use of the cloud. This includes directories for white and yellow pages, 
customer care, recoit usage records, download server, electronic mail, voice mail 
and paging messaging. In this regard there are also related databases such as 
customer contact and tracking, archival usage records, billing histories and historical 
netwoik logs. 

One additional feature regarding die network sites as described above is that 
each site matptqiTiy two domain name service servers. One is for the internal 
networic and one is for the external network. The internal DNS is the slave to Ae 
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external DNS which is needed for resolving hosts names on the external netwcnk 
when requested from the mside. Typically, the external DNS rims on the gate that is 
connected to the Internet or the wide area network. The internal DNS typically runs 
on one of tiie core machines. 

S The network of the present invention has a physical architecture and a logical 

ardiitecture. The physical architecture desCTibes the interworkings of die computer 
and networking hardware and their coimectivity. The logical architecture defines the 
relationship of the various components as they may be viewed by a customer. These 
relationships can be set to oeate various registration, security, access and 

10 auttientication rules. The logical arrangement can be defined to meet specific 
business needs and environments. In this context Ae network logical ardutecture 
forms an entity called a cloud that can be constituted by one or more sites. 

Having described tfie various components of the network architecture 
attention is drawn to FIG. 3 vMdti Ulustrates another potential arrangement of 

1 5 netwoik components to effect the goals of the present invention. Here a network site 
301 includes a plurality of gates 305, 306, 307, 308, two core machines 312 and 314, 
a store 316 and a hop 318. These elements then provide access to external elements. 
For example, gate 306 is connected to peer 320 while hop 3 1 8 is cormected to peer 
325. Furthermore, gate 305 provides access to other networks. Similariy, tiie Site 

20 301 can be coi^led to another Site whidi includes two gates 330 and 335, a core 337 
and a store 340. Information can then be exchanged between these n^ork Sites. 
Alternatively, individual sites can operate in relationship to the peers connected 
thereto. 

25 Platform Man agement and Monitoring 

The netwoik software components are managed and monitored by a 

distributed hierarchical system of monitors, sub-monitors and management agents. 

This is called the network managemmt and monitoring system (NMMS). The 

networking and hardware components are managed using an SNMP-based third 
30 party Enterprise Management System. The combined use of these two systems 

provides a conqmhensive management and monitoring cspdbHity for tiie network. 
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The NMMS can be a tfaree-layer hierarchy consisting of a system monitor 
(SNf) running on one of the core machines, a single subsystem monitor (SSM) 
running on each madiine to be managed, and a Management Agent linked into every 
Daemon to be controlled. This hierarchy is sho^ in FIG. 6. The SM and SSM 

5 processes are started (and restarted) autonfiatically buy a Unix Init mechanism. Upon 
starting, die SM and SSMs process broadcasting an announcement of its presence to 
locate each other. The SSM are responsible for monitoring the health and starting 
die various local Daemons under then* control. The managment agent inter&ce is 
designed to run even ifits SSM decipher is not present The NNMS can be brougjit 

10 or taken down in its entirety without affecting the operation of die iietwor^ 
system. 

The system monitor is the nerve center of the system. It directly controls and 
communicates with the subsystem monitors. The subsystem monitors are the local 
control monitors. These system monitors and subsystem monitors are illustrated in 

1 S FIG. 4 in die gates which include the subsystem monitor and the core whidi includes 
die system monitor. The subsystem monitors chaimel events between the system 
monitor and the Daemons and monitor the health of die Daemons. The system 
monitor also esqxises a CGI-based coimector for communicating with a browser- 
based administrator inter&ce and a command line inter&ce (SMCLI) also shown in 

20 FIG. 4. The browser downloads Java applets from a web server runniiig on a core 
machine. These Java applets interface with the CGI into&ce m the syston monitor. 
NMMS is registered as a private service. Administrators audienticate from any peer 
just as any users, establish an encryptic coimection and use die browser to access 
NMMS. 

25 The SM, SMMs, and MA-enabled Daemons form a communicati(m network 

for delivering commands from administrators' interfoces, and returning reqxmses 
from die controlled Daemons. However, not all Daemons can be extended with a 
MAtntofrice. As such. Daemons can be controlled in one of two ways; either 
direcdy through a linked MA library or external^ through an UnixMA process 

30 which contains the MA library. Typically, there is one UnixMA process associated 
with each SSM. Using UnixMA, the administrator can dieck process status, read 
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data files, or do most anything that coiild be done sitting at the machine's console. 
UnixMAs are also responsible fOT polling. Wha SM starts, it starts a Poll Keeper 
460 (see FIG. 4). The Poll Keeper reads the configuration of the system and starts a 
poller in tiie appropriate UnixMA process for each compcment or function to be 
S polled 

Each component comes standard with five command-line scripts. These can 
be used manually by an administrator when logged into Ae machine. These 
commands are: 

start_component Starts the component 
10 stopjcomponent. Shuts down and stops die componoit 

describe^component. Prints out a full description of the component 
including its version number and indication of its installation status. 

status^component. A short version of die fidl description provided by the 
smpt describejcomponent 
IS ninnuig_component. Prints out the conqxments running status. 

However, die benefits of management and monitoring lie in the direct use of 
MA capabilities. MAs can control die logging level of dieir components, obtain 
CPU usage, memory usage, file desoiptor usage, start, stop and reinitialize 
components, obtain the version numbers and goierate alerts. MA-enabled 
20 components can also register new commands that can be invoked by the 
administrator to provide customized control of internal functions. 

NMMS maintains the desaription of the mtire system. This infonnation 
comes partly preconfigured and is pardy collected during an interrogation step prior 
to installatiorL The network architecture can be perceived as a collection of 
25 resources (objects) which communicate widi each other, share properties, can be 
created and destroyed. Each resource has associated with it a description, given as a 
collection of attributes. The objects describing the resources are maintained by a 
component called SysReg (as shown in FIG. 4). SysReg consists of a database of 
nameAralue pairs and a front-end server that accesses the database. Siqyporting 
30 application program interfiu:es (APIs), for accessing the server, may be provided in 
several programming languages. 



CA 02287094 2000-01-19 



15 

Network components that are installed, configured, and managed by NMMS 
are inq>lemented on top of three support libraries. Log, Ma, and MACON. 

Log is a C API that tnehtdea assert-type nKOos, trace macro^ and C 
fonctions. A Daemon generates log file entries by using assert and trace macros. 
S Whether log file entries are generated depends on either compile time or run-time 
parameters. At run time, three parameters control the logging and tracing levels. 
These can be set to one of the values none, erfor, waniuig» notice^ info, or debug. 

assertLevel controls the level of assert macros. In addition, alertLevel 
determines if the maot) generates an alert 
10 logLevel controls the level of log macros. Hoe, also, tracealertLevel 

determines if the maopo generates an alert 

traceLevel controls die trace level. 

One additional parameter, panicThresbold, specifies the number of entries 

after v^ch message generation should stop. This is a safety valve in case logging is 
IS left cm unattended. Initial values of ttie Log library parameters can be specified 

through environment variables. They can then be obtained and modified at run time 

througih C fimction APIs. 

MA library provides an inter&ce between network Daemons and NMMS. 

Simply by linking with MA, a Daemon enables the monitoring system to access its 
20 internals. MA library provide a number of built-in commands. In addition, every 

Daemon can define and export to NMMS any command relevant to its monitoring 

and management functions ttrnt will make use of the monitoring conmiands e?q;>orted 

by Daemons. 

MACON (Management Agent CONsole) is a program provided to the 
25 Daemon developers for interactive invocation of the MA commands in tiieir 

Daemons during development It plays the role of a SSM (Subsystem Monitor) in a 
deployed system. The developer using MACON plays the role of a SM (System 
Monitor). 



30 Network Com ponent Functionalitv 

The network of the present invention provides certain functionality 
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including, but not limited to, membership control, tracking registered usors and 
services, access control and usage recording. This subsection will describe various 
features of these functions. 

A membership subsystem provides support for registering users, services and 
other clouds. The subsystem also supports profile updates and information retrieval 
regarding such iiser services and clouds. Registration information is kept in an 
account hioaichy ^t can consist of accounts as the internal nodes of the hierarchy 
with users, services and clouds as the leaves of the hierardiy. The relationship 
between the parent and siblings in the hierarchy dictates access ri^ts and privileges. 

An account in this membership subsystem can be considered a collection of 
usos vdib belong to the account and diose sauces that own the account Eadi 
account may have the following fields and attributes: 

1. identity— each account has an identity, (that is, it has a registered name and an 
id number); 

2. parent account— all accounts, except the root have parent accoimts; 

3. list of users-list of users who belong to this account; 

4. administrators-some users are designated to be account administrators, they 
can create (add) users to the account and create subaccounts; 

5. list of services— list of services that are owned by the account, the SCTvices 
can be stopped and started by the account administrator; 

6. list of subaccounts-list of children accounts; 

7. list of privileges— set of services that may be accessed by the accoimt users. 
A user is a person whose identity is known to the cloud and can be 

authenticated by the cloud. Eadi user has the following fields: 

1. identity— each user has an identity (that is, it has a registered name and an ID 
number); 

2. membership-each user belongs to one account; and 

3. role-account administrator or regular user. 

Any registered service running on a peer whose identity, location, and access 
mettiod are known to the network are included as a service in one or more accoimts. 
A service has the following fields: 
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1. idmtity— each service has an identity (eadi service has a registered name and 
an id number); 

2. ownership- each sehice is owned by an account, it can be started and 
stopped by the account administrator; 

3. suq;}port service- a service can rely on other s^ces; and 

4. subsCTiption list-for eadi service there is a list of xisexs ^Aio may access it, at 
an abstract level of soirices at the minimimi just a set (groiq>) of users. 

In order to avoid recording privileges for all services, and in order to simplify 
evaluation of privilege and access rules, die notions of public and private services 
may be introduced. Public services are those that can be accessed by any user, 
unless the user is explicitiyblodcedfiom accessing the service. Private services are 
those services that cannot be accessed sinq;>ly by any user, but instead require tiiat 
the user be explicitly granted access. To access a private service, a user must first 
subscribe to that service. Private services can be of two types or two subscription 
policy types, a public subscription or private subscription. In a piiblic subscription 
policy any user is permitted to subscribe to a service. In a private subscription 
policy limitations are placed on die user before tiiey are allowed to subscribe to the 
service. For example, certain additional requirements may be set befine the vser is 
permitted to subscribe to the service. 

The distinction between die public service and the private service diat has a 
public subscription policy is that the user must subscribe to a private service before 
they are allowed to access it This is an important difference as the act of 
subscribing to a s^vice can cause a usage record to be generated as will be described 
below and diat event has the potential to be transformed into a bill to the user. 

Private services with private subsmption policies [rovide even tighter 
control over who may subscribe to the service. These subsCTiption policies are 
in^lmiented by associating a subscription s^ce witii the private soidce. A 
subscription service provides a mechanism to screen users prior to subscription. An 
API is provided whereby the subscription service can permit or deny users fixmi 
subscribing to the private service. By running a subscription service a service 
operator can enforce any arbitrary policy over what users can subscribe to their 
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service. 

Only private services witti private subscription policies need subsCTiption 
smfices. Services with public subscription policies allow all users to subscribe and 
therefore do not have subscription services associated with them. In either way, 
these subscription services can be implemented within the network of the present 
invention, that is they can be considered functionality that is absorbed within the 
architecture of the network removing it from the service end points vfhere it would 
otherwise reside in prior network configurations. This would involve keeping track 
of the characteristics of tfiose services which are registmd with the network and 
implemoiting sid>scription APIs widiin the network to solicit information from a 
user (for example, user identification information and billing information) to set up 
the subscription. The netwmk could then keep track of the subscrqption and report 
subscription results including billing information and other vser profile infrnrmation 
to a given service. 

In addition, the network of the present mvention may provide an automated 
approval system whereby the user is given approval by its parent accoimt to 
subscribe to the service. Since the ^yproval services and the subscription services 
can be operated as APIs with individual functionality recited fcHr those services, it is 
not necessary to substantially affect die operation of the core to implement arbitrary 
subscription policies. Nonetheless, the network configuration permits the mdividual 
services, having described specific subscription policies, to perform subscription and 
approval operations without need for maintaining complex equipment at the server 
end point. 

The network architecture of the present invention also provides a tedmique 
for maintaining information about those users and services which are active widi 
regard to the network. In that regard, an active registry such as tiiat shown in FIG. 7 
is a componrat of the network core. This active registry (AR) 701 serves as a 
maintainer and supplier of information about all currently authenticated users and 
services. Thus, AR can be thought of as a dynamic directory or an Internet Locator. 
As user and services log-in (authenticate), information about diem and their current 
location is added to the registry. This information is supplied on demand to other 
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componeiits, such as for access control decisions. The infixmation is also sent to Ae 
White Pages over an LPAP intor&ce. This allows a more detailed search by people 
to locate active users and s^vices. For currently autfiehticated users, (also refened 
to as active users), the registry contains: a user identifier; a user handle; an IP 
address of the peer 6om which the user is currently logged in; and the home proxy 
of the user (that is, the gate to which the peer is directly connected). Active User 
Registry (AUR) 702, For currently authenticated savices, the active registry 
contains: a service identifier, an IP address of the service pe^ hosting Ae service; an 
IP port of ihc service; and an IP protocol used by die service. Active Service 
R^stry (ASR) 703. The information in the AUR 702 is used to implemmt Caller 
ID and intocloud decisions. It is also available to client peers fen* services sudi as 
telephony and collaboration. The AUR 702 runs within the AR 701 as a thread that 
listens on port 2221 for requests from control Daemons 720 of a gate 730. Likewise, 
ASR 703 listens on port 2223. The protocol used to communicate witfa^e AUR 
and ASR is based on the HTTP\1 .0 GET method. This protocol is hidden behmd flie 
qyplication program inter&ces. Two diff^ent inter&ces implement the protocol to 
communicate widi the AUR and ASR. Each exposes a subset of&e functionality of 
the AR that is needed by the target audience of the API. From pear q>plications, 
AUR can be queried for the IP address of an active user. The control Daemon 
communicates with the AUR to add a user, such as peer 760 on logon, remove users 
at logoff and query for active users based on an IP-address arui user handle. The 
same is true for the ASR. A program could be sqjpliedwitfitiie AUR to help with 
die administration. Such a program could provide the options to: dump all entries in 
the AR; search for an entry in die ARby either die IP address or by uso* or service 
handles; delete an entry from die AR; or add an entry to the AR. 

As a result of this component of the core the system provides the c^ability 
for maintaining iq)dated information identifying those users and services registered 
widi the network, that is active on the network, and dieir respective locations with 
regard to die network (such as an IP address and information about the gate to which 
it is coimected). 

The network also has an access control system diat allows or restricts access 
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between users, services and othor networks. This ties in with the membership 
control system in that account infomuition or records ^ch are created as users and 
sovices register and subscribe in connections to tf&e netwoifc are used to impose 
control restrictions during access attempts by the users or services. The access 
control system provides mechanisms that allow data proxies to impose access 
control restriction by mediating protocols used to corrmiunicate between users and 
services. Access control is enforced collectively in a gate in the packet filter, the 
Access Control Daemon and the Data DaemorL An example of elements contained 
within the gate which effect this access control are illustrated in FIG. 8. It should be 
understood that all of tfie elements of the gate are not ilhistrated (for example 
refaence to FIG. 4 indicates that additional elemcaits may be contained in the gates), 
but the elements illustrated in FIG. 8 are instrumental in providing access control. 

In accordance with the control mechanism traffic is only allowed to flow 
through the network if it passes the access control test The smallest granularity diat 
is provided by the access control is that of a single user or a single service. Asan 
example, a particular user can be prevented from accessing a specific page on a 
particular web site. This could be handled on a protocol by protocol basis in the data 
proxies 805. 

In some cases access control needs to be enforced upon users and services 
that are not running on peers. A news feed is an example vdiere this is necessary. 
To accompli^ this &ese users and services are registered using the standard 
registration procedure. Instead of autfaoiticating them by running peer software they 
are preautfaoiticated ^en tiie core netwodc starts. The active user registry can tiien 
be prepopulated from the pre-authenticated user list The active service registry is 
prqKypulated from the preautfaenticated service list. From the perq)ective of the 
access control subsystem they are treated the same as any other user or service. 
During registration services can also be designated as accessible by guests. $ucfa 
designated services allow guests (non-authenticated) users to access the service. 

Initial access control data is generated at user registration time. The users are 
presoited with a list of private services to which they may subscribe. The 
subscription operation is described above with regard to tfie membership subsystem. 
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It ^ould be noted that users can also subscribe to services o&er registration. For 
example, a registration iqKlate procedure could be provided whereby a us«r, upon 
auAoitication is given the option of subscribing to an additional service or services. 
Alternatively, the registration system could require that an authenticated user take 
5 some proactive step to contact a subscription service such as described above. 

Returning to the notion of how the access control is eflSscted, the padcet filter 
801 in FIG- 8 is the first component to eaiforce access control policies of the access 
control system. It receives all incoming network trafiBc. The packet filter is rales 
based. Whenevw a iwdcet arrives on the external network interfece, flie filto- 
10 analyzes it and, if it is not part of an existing session the rules. Access Rules 820, arc 
consulted to determine what action to take. The rules are generated on a demand 
driven basis. Initially, there are no rules loaded into tiie filter. 

When a packet arrives for v^duch tfiere is no matehing rule the filter executes 
a diedc action and passes tiie packet up to the Access Control Daemon 840 for 
15 fintiier analysis. The Access Control Daemon performs the access check and installs 
an ^)propriate rule into the filter that covers the attempted action. The new rule may 
contain aDROP action if the trafBc is not allowed; it may contam a PASS action if 
the traffic is allowed; or it may contain a LOCAL action if the traffic is to be sent to 
alocal proxy. After the new rule is installed into tiic packet filter the padcet wiU 
20 returned to the filter for reevaluation. The fitter wffl then trigger tiie new rule 

causing the appropriate action to be taken. Once the new rule is in place, subsequoit 
access b^wera the same us^ and the service will trigger tins rule thus bypassing tiie 
Access Control Daemon. In the case ^lore the traffic is destmed for a local proxy 
the Access Control Daemon may not be able to determine the actual service being 
25 accessed. HTTP is an example vvhere the destination is embedded in the data 
stream. For tiiese cases, an additional access control test is performed in the data 
proxy. As can be SCOT from the architecture represented in FIG. 8, the Access 
Control Daemon relies on the ability to communicate with a registration server (not 
shown) and the active registry so as to be aware of those users and services which 
30 are active witiiin tiie network and also to access account records which indicate 
which access privileges a user or service may have. 
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FIG. 9 show a flow chart illustrating a process for access control in 
accordance with a method offte present invention. In this example the access 
control is operated on bdialfofa user seddng access to a service. The same process 
can be applied to a service provider or server seeking access to a \iser or to user 

S information. In this example, the gate receives an authentication request, step 900. 
The gate th« can execute an authentication proxy»stq) 901. Thisstq)of 
authentication determines whedier the user who seeks access to the network is one 
who has previously registered with the network and is a valid network user or 
sovice. The system determines \i4iether the user is authenticated in stq) 903. If it is 

10 not, then tiie connection is dropped, step 904. If the user is authenticated, then die 
user soids a service access request to the gate. The service access request is 
received in stq) 90S. The gate d^mnines whether a filter rule is available. As 
described above, a filter rule could already be preloaded in the packet filter. 
Altmiatively, the Access Control Daemon may have a rule available which could be 

IS loaded into the packet filter. Ifit is detemunedtiiat the gate does nothave a filter 
rule available for tiiis access request then a rule can be retrieved, step 907. This rule 
can be retrieved in accordance with access control privilege available in accounts 
records at the registration server taken in conjunction wifli active registry 
information available in the core. If the gate has an available filter rule, or it has 

20 retrieved such a rule, the gate applies the filter rule to the service access request, 
step 907 thereby eifiicr passing a request into the network or dropping tiie request. 

Various access control techniques can be employed in the gate taking 
advantage of specially designed proxies and the packet filter ^ch can act as a 
firewall. More specific exanq)Ies of such techniques are described in *^ystem and 

2S Mcfliod for Demand-Driven Loading of Rules m a FirewaU", "Higji Resoluticm 
Access Ckmtior, "System and Method for Distributed Access Control with a 
Centralized Database**, "Access Control for Applications with Dynamic 
Parameters", and "System and Method for Network Loading Balancing**. 

As described in the subsection "Supergate** below a modification to the gate 

30 architecture is envisioned in which the gate will have the cq)ability of not only 
determining i^etfaer to route a user into the network based on certain filtering rules 
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hot will also have the capability of routing a user along the periphery of the network 
wifliout unnecessarily tying \sp too much of the network's resources. 

Having described how the user can become registered wift the network and 
how its access control privileges can be set and utilized we turn our attention to 

S another network function which, in flie prior art, was assumed by end point servers, 
diis being usage recordation. In accordance with the present invention the store of 
FIG. 2 may incorporate a usage recording server. An example ofthis is shown in 
FIG. 1 0 of the preset application. A usage recording and retrieval subsystem 
provides usage generation, collection and storage and retrieval. This suteystem 

10 records usage-related events for purposes of billing, custom care and netwoik usage 
aiuilyses. The usage recording and retrieval subsystem includes Usage Daemon 
1010 and collects usage records fiom processes running on gates such as the Control 
Daemons, Cache Daemons, and the data Daemons. It also collects records from 
processes ruiming on service peers, throu^ a usage proxy 1012. Thissubsystm 

IS also retrieves usage records from a usage database 1040 for die service peer based on 
its request for users wanting to inspect their record. 

A usage record may have multiple fields. In one embodiment a usage record 
has die following fields: 
L ID of user's home cloud; 

20 2. ID ofthe gate ^ere the record was collected; 

3. time of event recording on die gate; 

4. record sequence number; 

5. record type name (session, content,...); 

6. record subtype, destination cloud ID, service ID; 
25 7. ID ofuser responsible for record graeration; 

8. unique ID of session during i^ch record was generated; 

9. time of usage event; and . 

10. even description-name/value pairs. 

Eadi usage record has a minimum lengdi, for example 76 bytes, phis the 
30 variable lengdi of field. Four types of usage records may be employed: session 
records, content records, intercloud records, and service generated records. Session 
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records are gloated by a gate' s control Daemon when a user of a service logs on, 
logs off, and for periodic heartbeats recorded during the session. Content records are 
generated by the gate's data proxies for HTTP, FTP, E-E-mail and oth« contmt 
protocol transfers. Intercloud records log IDs of destination clouds. Service 
5 Goierated records log the service IDS registered for usage recording. 

The gates collect all usage via the usage Daemon 1010 and die Usage Proxy 
1012. Again, FIG. 10 represents elooaents which may be contained in the gate 
altfaou^ these are not an exhaustive rqfnesentation of the elements whidi may be 
part of the gate. 

10 The Usage proxy 1012 inay be implemented in C-H- as a duired library. Tbe 

Usage Proxy accepts requests fiom Peer Usage libraries to either drop or retrieve 
usage records. The Usage Proxy communicates wi A a Peer over a Usage Retrieval 
Communications channel. It enforces access control on all operations, but it does 
not diedc the validity or correctness of usage records that it forwards to the Uss^e 

IS Daemon. 

Usage Daemon 1010 performs the woric of validating the correctness of 
usage records being dropped and interacts with the Usage Server process on the 
Usage Recording Server madiine 1060. It is controlled by the following four 
parameters: 

20 Max Push Interval Time - Tbe time interval after which a file of usage 

records is prepared, providing there is somedung to prepare. 

Dispatch Interval Time - The time interval to move the files containing the 
usage records to the directory monitored by the Usage Pusher. 

Polling Interval Time • The time interval for Us^e Daemon to wait in the 
25 pollmg queue for data to arrive from the various usage goierators. 

Usage File Watermark - the maximum size of the Usage File that can be 
created widiin Max Push Interval Time. 

Usage Pusher Daemon ( 1 030) - Keeps cheddng Ae directory on the gate 
receiving all usage records from the Usage Daemon and, when appropriate, flushes 
30 thCTi to Ae Reducer (10S5)m the Usage Recording Server. The data is encrypted 
via die standard Gate/Peer crypto system described below. 
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Usage Recording Server can reside in any Store. It depends on a relational 
database system such as Oracle, an HTTP server such as Apache, and a Reducer. 

Reducer lOSS receives the usage data from all the Usage Pusher programs in 
die gates. It fonnats and stores the usage records into the Usage Database. It 
S performs some data reduction depending on the type/subtype of the records. In 
particular, it performs matching of the usa'*s log on and log ofif records. 

Usage database 1040 accepts and stores the usage records processed by tiie 
reducer. It is organized by the type and subtype of the record. For each type/subtype 
of a record and for each service generating records there is a separate table in die 
10 database. This database organization facilitates implementation of selective usage 
record handling policies. The database also contains the data retrieval information 
identifying what services have access rights to the usage records. The access ri^ts 
are specified on a per-usage record type/subtype basis. In other words, for each 
type/subtype of die records the Usage Database contains explicit information about 
IS services that can request tfieir retrieval. 

HTTP ServCT 1070 and HTTP Wedge 1080 provide usage feedback to the 
user through a browso: inter&ce. The HTTP Wedge 1 080 provides callor ID 
verification to the CGI programs retrieving die user's usage data firom the Usage 
Database 1040. The ownership of the usage data is interpreted as follows: 
20 each user can view only their data; 

account administrators can view the usage data of all users associated with 
die account and die subaccounts; 

die sovice administrator can view all usage records graerated by the service. 
The fimctionality desoibed permits the network to assume the responsibility 
25 for various activities thai previously resided in the end points of the network. The 
network provides the necessary resources for sudi functionality as audientication, 
subscription, access control, usage recordation and billing thereby taking the burden 
ofif of die end points of the network and bringing that fimctionality widiin the 
secured boundaries of die network. As described earlier, this reduces die complexity 
30 and cost ofthe components necessary at the end points. Other fimctionality may also 
be provided in coimection with this network architecture. For example, the network 
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can provide for a general mediation of protocols. A network can easily manage and 
manipulate all standard protocols to add values as necessary. For exanq)le, the 
network can transparently support a distributed cac^architecmire tluai^ intelligently 
monitors and caches documents flowing over the web which uses standard protocols. 

5 This is but one example of protocol mediation vAiich could be obtained with the 
preset invention. In addition, the network architecture also provides for 
information integrity by fecilitating data stream IP layer racryption/deoyption 
between the gates and vscr or climt peers. This enoyption tedmique will be 
described below in connection widi Ae peer software under the subheading Peer 

10 Inter&ce. 

The network architecture set forth above tfaoefore provides a network with a 
secure boundary that incorporates within that boundary certain intelligence and 
certain common processes vfbich can be shared by a plurality of independent users 
and a plurality of indqiendent sovice provide. The architecture provides that a 
1 S user can access various network services using a single registration or audientication 
process. Once logged-ixi, the lietwork access controls take over, referring to accou^^ 
record information, to permit it access to multiple, independent services. 

Peer Interface 

20 The functionality of the peer mterface has been described above in ttte 

subsection regarding Network Ardiitecture. 

An exanqple of potential modules vAnch could form the basis of Ae peer 
architecture are illustrated together in FIG. 11 of the present application. Tliereitis 
shown diat there are network aware applicaticms as well as non-iietwork aware 

25 applications. The peer inter&ce itselfmcludes ISP modules, plication sqjport 
modules and other {application program interfaces. Furthermore, the peer inchides a 
socket redirector. The peer software can reside in a directory on ttie peer identified 
by the value of an environmrnt variable. This directory contains all executables, job 
of classes, applications, and property files used by the peer. Every application has its 

30 own directory in their TD/dtpps/ in which it can do whatever it wants. The bin/ 
directory contains the executables. The lid/ directory contains miscellaneous data 
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files. The classes/directory containsjob of class files. The lid^ars/ directory 
contams Java files for \ipdating and installatioiL The Ap.properties and 
iiser.properties are two important files found in the lid/ directory used for 
customizing tiie peer and configuring user preferences and fiir retaining the user's 

S identity. The app.properties file contains all peer, network and applications-specific 
properties. The user.propoties file contains whatevo- is necessary for a user to 
transport their idmtity to another peer madiine. 

From the moment that the peer attempts to connect to the n^ork, a siiigle 
control channel gets established between the peer and the Control Daemon on ttie 

10 gate. This control diannel is die tether that binds a peer to a particular cloud and 
maintains an active session with ttie cloud. 

The peer software resides on the end points that connect to the network. The 
software &cilitates making secure connections to the cloud and makes use of 
registration, audientication and other s^vices provided by tfie network. Tbe 

IS software may be run on such opiating systems as Microsoft windows ^95, 
Microsoft Windows NT4.0, Fun Solaris, SPARC, Linux i 86, and SGI IRK 
platforms. One of the integral components of the peer software is the redirector. 
The redirector module facilitates tiie capability of transparently encrypting all IP 
communication fiom the peer to Ae gate and vice-versa. The redirector makes use 

20 of platform dep»dait fecilities (Winsoc 2 on A^^2 and Streams on UNIX) to 
intercept IP commimication without requiring any dianges to ttie applications 
running on the platforuL Thus, existing i^lications such as Netscq>e Navigabnr, 
Internet Explorer, Internet information server, tnmsparently inhmt added 
security and privacy. 

25 FIG. 12 illustrates the working of the redirector componwt the decision 

module 1210 determines whedier encryption should be enabled for the givm socket 
connection. The encryption module 1220 performs encryption/decryption of the data 
that is transferred over the socket 

The peer uses a platform specific IPC mechanism such as shared memory to 

30 pass information to the redirector. This information includes: 1 . a global encryption 
flag that specifies the current state of encryption (on/off) between ttie pe^ and the 
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gate; 2. the encryption key that gets used to encrypt/decrypt the data; 3 . the looki^ 
table that helps redirector to decide \^ether to encrypt a given socket connection. 

Tlie pe^ can initialize the look vp table based on the config;uration specified 
by the user and a few default entries. Eadi entry in die table describes a set of hosts 

5 using "network address**, "netmask", and "port number**. The ratry also indicates 
whether die encryption should be enable for the hosts that match this description. 

This information may be protected in the peer by a ""single writer/multiple 
reader^ synchronization lock. Thus, only one writ^ can access the information at a 
time and cannot access it while it is being read. 

10 When an application tries to establish a socket connection, the redirector 

invokes the decision module. The decision module first looks at the global 
encryption flag. If Ais flag is "felse** (ofiO the encryption is not poformed. If this 
flag is ""true** (on), die decision module compares the IP address and the port number 
of the host on die other end of tiie connection with eadi entry in die lookup table. 

15 Theseardi ispoformed fix>m the top to the bottom and stops as soon as a matching 
entry is found in the table. The aicryption flag in this entry determines if that 
connection will be encrypted. The matching entry is not foimd in the \o6kxxp table, 
die de&uh is to encrypt the coxmection. litis de&uh can be changed by adding an 
entry at the bottom of the table that would produce a match for any IP/port 

20 combination. 

Hie flow charts at FIGS- 13 to 15 illustrate die flow of control in die 

redirector for various conditions. 

FIG. 13 shows flow of control in die redirector when an qq;)lication tries to 

establish a sock^ connection. After die information is locked so that it cannot be 
25 written while read, the socket redirector determines whether the encryption is on, 

step 1301. If not, then the lock is released and the connection can be completed. 

There will be no encryption in diat circumstance. It however, die global encryption 

flag is on, then the system determines whether the encryption table says that 

encryption in tiiis circumstance should be carried out If the answer is no, then 
30 again, the socket connection can be established without any encryption. It however, 

the encryption table indicates that for this particular connection encryption is 
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required then the redirector reads the session key, step 1304 and oeates an 
enwyption for the givoi socket, stq) 1305. The lock is then released and the 
connection is con^leted lisihg an encryption with a spedfic key for Aat particular 
sodcet Naturally, the peer may be utilizing different sockets for different 

5 connections, some of which may be encrypted using various session keys while 
others may not be encrypted. 

FIG. 14 provides a diagram that shows flow of control when an s^lication 
tries to SOTd data over the socket The application sends ttie data to the encryption 
module of the redirector. If the cncryptor for this sodcet is valid as detarmined in 

10 step 1402, then tiie data is enaypted, step 1403 and sent to the gate. If the enaryptor 
for the socket is not valid then there will be no encrypti<»i and die data can be sent 

without the encryption. 

FIG. 15 illustrates a circumstance ^ere an plication at a peer tries to 
receive data over the socket connection. The data is reed ved by the peer, step 1501 
15 and the peer redirector performs a real receive operation, step 1502. If the enCTj^ptor 
for the sock^ is valid as determined in step 1503 thra the received data is decrypted 

instep 1504 and control is returned to the i^li^^™"^ ^ 
howev^, the aicryptor is not valid then the control is returned to the application 
without decrypting die data. 
20 This encryption/decryption of die data stream IP layer between peers and 

gates provides information mtegrity. The encryption and decrj^on are handled 
differently on Ae peers than on the gates, however. Qnthegates 
encryptiOT/decryption is done in data proxies, not m the packet filter. On die peers 
the encryption/deoyptiOT is not done in die j^li^^*"^' ^ traiwport layer by 
25 the socket redirector as described above. With diis arrangement, all existing 
applications can safely communicate with the gate wifliout change. 

FIG. 16 provides a representation of how the data flows betweai a win 32 
peer plication and the gate. The flow is similar for a Solaris peer. 

The socket redirectors, both Win 32 and Solaris, do encryption using RC 4 
30 variable -key size stream cipher. They use the accesses Leay libraries RC 4 
implementation with a key length of 128 bits. Of these 88 bits may be exposed 
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during key negotiations to satisfy export requirem«its. The encryption process 
woiks by exclusive ORing the bytes of the plain text with a stream of randomly 
generated numbets. This key is generated during &e authentication process for this 
session and thrown away whra the user logs off. 

5 An example of a configuration in which the sender and receiver perform an 

enoyption/decryption process is illustrates in FIG- 17. Here it is shown that the 
sendCT and receivCT both inchide pseudo-number generators 1701 and 1702 receiving 
a shared secret key. The random numbw stream fiom Ae pseudo-numbw generator 
is ften interacted wiA the plain text stream in the soider to create an encrypted 

10 stream. Similarly, Ae pseudo-number genorator, influ«iced by the shared key, is 
used to decipher the text at the receiver. 

In summary, tfie peer software may consist of a plurality of software modules 
vAnch enable control of the communications between a user or server and Ae ingress 
or egress pomtsofthe network, that is, Ac gates. The modules operate so as to 

1 5 enable encryption for Ae communications betweai Ae peers and Ac gates wiAout 
affecting q>erations at Ac j^jplication program layer in Ae peer machines. In 
essence, Ae encryption tedmique is substantially invisible to Ae application 
program employed in the peer machines. 

20 Super Gates 

In Ae geaenA description of Ae network architecture provided above, one of 
Ae key conqjoncnts to providing a secure netwOTk boundary is Ae gate. Tliegate 
acts as an ingress/egress point for uscts or sarvice providers as Aey intaract wi A the 
network. One embodiment of a gate configuration utilizing various Daemon and 
25 proxies has bera described above. The gate plays an important role in access control 
and in usage monitoring. 

The gate would be inqiroved if it could inteUigmtly deal wi A situations 
y/hcre an active user desnes uiformation from an active service provider and Ae gate 
could intelligentiy decide wheAer to route Ae communications between Aese two 
30 end pomts eiAcr directly through Ae network or along a peripheral boundary of Ae 
network. This could be an important decision depending on Ae network resources 
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which mi^t be consunied in effecting flie infonnation transfo. For example, a 
given usCT may desire to have access to a service that makes available a video 
stream. Transmission of that video stream back to the user would «»isume a 
tremendous amount of bandwidth and if routed through the network itself would 
5 consume network resources. It would be beneficial therefore ifafter authenticating a 
user and identifying that they have access control privileges to a given service a gate 
were to route information between the us« and the client not directly ftrough Ae 

network but through external interfeces which may be better equipped to handle the 
bandwiddi requirements of the transfer or at a minimum may avoid overly burdening 
10 die network resources. 

The network architecture of the present mvcntion includes a modified gate 
structure which can be referred to m shorthand as a Distributed Network Element or 
si^ gate. An exanq>le of a si^ gate is illustrated in FIG. 18 of the present 
application. This super gate would include together with an ATM switch febric 
15 represented by the Network element 1801 and gate control capabilities, represented 
by the Network Node 1802. An ATM network interfece card for interfecmg die 
CPU of the gate and the ATM switch fabric. This interfile is shown as the Network 
Element Adqrtation Layer, 1802. The sapet gate would thus be connected to an 
ATM network via the ATM switch fiOwic. 
20 FIG. 19 illustrates an exanq;>le of a networic ardiitecture that incorporates die 

supergate distributed network element configuration. Two examples of such 
elements are more clearly delineated by elements 1901 and 1902 althougji each pair 
of a gate (eg., 1905a) and a switch (1905b) can be considered a supeigate. As is 
clear fiom die figure die secure trusted domain boundary can be considered to 

25 extend out to the switches (1901b, 1902b, etc.). 

The supergate structure and revised network architecture provide fi>r flow 
separation. Small volume flows requiring special handling and control tasks can be 
routed dnough die gate into the network. Large volume flows, on die otiier hand, are 
routed timnigh the switch controlled by die gate to die ATM network under control 

30 of die gate and can ultimately be routed to its destination eitiier along die perq)hay 
or external to die network itself An example of die separation of low and high 
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bandwidth communications is illustrated in FIG. 20. Again, the secure trusted 
Ixwidaiy extends to the switdi^ that make up the supeigates (e,g., 2001 and 2002). 
Chdytwo such structures arc^iown aitiioug^ the boimdary could be constituted 
completely by such siq)ergates. In this arrangement Ae gate portion of Ae 

5 distributed network element controls how the switch routes data after authorization 
or registration has occurred. In Ae illustrated example a first client peer 2030 may 
desire high bandwidA access to video server 20SO which is coupled to Ae network 
via siqiCT gate 2002. Clirat peer 2030 is coiq)led to Ae network at supergatc 2001. 
At Ae same time client peCT 2040, coiq>led to Ae same siqwgate 200 1 , may seek a 

10 low bandwidA communication to store 2035 which is also coiqiled to supergate 
2002. The n^ork node 1803 and network element adsjrtation layer 1802 control 
the network elwnent so as to n>ute Ae high bandwidA commuriications between 
siq)ergates 2001 and 2002 for example along a paA external to Ae netwoik such as 
via Internet 2010. The network node 1803 and network element adaptation layer 

15 1 802 control Ae network element so as to route Ae low bandwidA conmiimications 
between Ae supcrgates 2001 and 2002 through Ae secure network via Ae 
connection rqiresoited by paA via 2020. 

This architecture provides Ae advantage of allowing higji volume flows to 
cut Arough an ATM switch controlled by Ae gate while still sending important low 

20 volume flows througihAe gate's protocol stack. 

no. 21 iUustrates a video streaining trafBc paA using Ae architecture 

illustrated in FIG. 19 and Ae si5)ergates of FIG. 18. In Ais arrangement Ae video 
stream tnivcrscs Ae secured network between Ae gates of supergates 2101 and 2102 

to achieve Ae desired secure data communication. The topology of Ae network 
25 showninFIG. 1 9 may easily be altered to allow Ae support of diflfermt traffic 
patterns. For exan^)le, Ae ratio of total low-volume tiafBc (processed by full 
.{notocol stack at Ae gate) to high-volume cut through trafBc may determine Ae 
number of ports used for gate-switch conununication. Also, Ae full connectivity 
matrix may be replaced by a more sparse one ^ch will reduce Ae cost and still 
30 maintain easy paA to future upgrades. The number of gates, Ae gate capacity and 
cloud capacity can easily be incremented by adding more switch ports. The 
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existence of altonative paths also improves reliability and reduces call blocking 
probability. This distributed network elements architecture may be easily distributed 
to a distributed core architecture if the core is expected to become the bottleneck. 
The feet that the distributed core lies within a trusted domain may remove any 

S in9)lementation detail related to security. 

The gate of die distributed network element or supergate can execute control 
of the associated ATM switdi using the General Switch Management Protocol 
(GSMP). GSMP allows the following: establi^iing and releasing connection across 
the switch; adding and deleting leaves on a point to multi-point connection; 

10 TTianftging switdi poTts; requesting configuration information ad statistics. 

Command line and web-based tools are developed that allows the user to set up rules 
at die IP-address port level and needed to define the quality of service or do 
security/fihmng y dropping packets. 

This arrangem^ of the super gate or distributed network element therefore 

1 5 provides an improvement in trafBc flow whereby high volume trafiBc does not 

necessarily negatively impact the operation of the gate mechanisms thereby causing 
a choke point for other information that must be provided to the network. 

20 The network architecture of die present {plication provides far reducing the 

cost and complexity of die end points by incorporating certain fimctionality within a 
secured network boundary. FurthCToaore, access to the nctwodc is governed by 
software control modules which can be loaded on end points and effect the transfer 
of secure information widiout adversely impacting upon the iqpplication programs 

25 running on the end user. Also, a gate architecture for the ingress and egress points 
for the secure boundary of the network provides flexibility by combining certain gate 
funcdonality along with control over switch so as to bifiircate the treatment of low 
volume and high volume data flows. 
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WHAT IS CLAIMED IS: 

11. A mettiod for fadlhating^coiimMMcatiOTS+e^ a plimility of users and a 

2 plxirality of independent service providers, the method comprising the steps of: 

3 receiving a registration request from a first user; 

4 receiving a request from the first user to subscribe to a first service provided 

5 by a first one oftbe plurality of service providers; 

6 storing account information identifying the first user and access privileges 

7 vii&i regard to said first service; 

8 receiving a registration request from a second user, 

9 receiving a request from the second usCT to subscribe to a second savice 

1 0 provided by a second one of the plurality of service providers; and 

1 1 storing accoimt information identifying the second user and access privileges 

12 with regard to said second service. 

1 2. Ihe method of claim 1 comprising the fiurther steps of: 

2 receiving a service access request from the first user, 

3 determining whefliCT the first user has access privileges to the service that 

4 correqMmds to the service request, said step of determining being performed in 

5 relation to account information associated widi the first user. 

1 3. The method of claim 1 comprising the fiirttier steps of: 

2 receiving a request from the first user to subscribe to a third service provided 

3 by a third one offlie plurality ofscrvice providers; and 

4 storing account infi)nnation identifying the first usct and access privileges 

5 with regard to said third service. 

1 4. The method of claim 3 comprising the fiirther steps of: 

2 receiving a service access request fix)m die first user, 

3 determining >^ether Ae first usct has access privileges to the service diat 

4 corresponds to the service request, said step of determining being performed in 
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S relation to account information associated with first user. 

1 5. A method for contn)lling user access to services via a network, th^ 

2 comprising die steps of. 

3 registering a plurality of services from a plurality of independent service 

4 providers; 

5 storing account records identifying registered services and users permitted 

6 access to the registered services; 

7 receiving a registration request from a first user; 

8 authenticating said first user, 

9 receiving a service access request fiom the first user, and 

10 detmniningv^iether to connect &e first user to the service associated witti 

11 the service access request wherein a decision in said step of determining depends on 

12 information in Ae stored account records, 

1 6. Hie me&odofclaim 5 wherein said decision is based on aii access filter rule 

2 created with reference to the stored account records. 

1 7. The method of claim 6 comprising the fiirther steps of: 

2 after authenticating said first user, updating an active registry to reflect that 

3 said first user is active. 

1 8. Tlie method ofclaimS comprising the fiirther steps of: 

2 connecting the first user to the registered service; and 

3 monitoring user usage of the requested service; and 

4 generating usage information based on the results of the step of monitoring. 

1 9. The method of claim 8 comprising the fiirther steps of: 

2 audioiticating a second user, 

3 receiving a service access request fitnn the second user, and 

4 determining, depending on information in the stored accounts records. 
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5 whether to connect the second user to the service associated with the service access 

6 request received from the second iiser, 

7 v^*eiCTi tfie service providCToftheser^ce requested by theses 

8 independent of the service provider of the service requested by the first user. 

110. The method of claun 9 comprising Ac fiirth^ steps of: 

2 connectingthefirstusertotheservicerequestedby the first user; 

3 connecting the second user to the service requested by the second user, 

4 monitoring usage by the first user of the service requested by ttie first us^, 

5 and 

6 moiiitf^ing usage by the second user of the service requested by &e second 

7 user, 

1 11. A conununication system for interfacing a plurality of independent users and 

2 a phirality of independent service savers, the system comprising: 

3 a first peer inter&ce associated with a first one of the users; 

4 a first gate, coupled to said first peer int^face, the gate including an access 

5 control filter Aat executes access control rules relating to said first one of the users; 

6 a second peer inter&ce associated with a first one of Ae servers; 

7 a second gate coiqpled to said second peer intorfiice; and 

8 a network core coupled to said first gate and said second gate, Mdioein said 

9 core includes an auftentication subsystem that creates information for the access 
10 control rules. 

1 12. A mettiod for controlling communications between a user and a service 

2 provider, the method comprising the stq)S of. 

3 receiving, from a first user, an authentication request at a first gate; 

4 authenticating said first user using said authentication request; 

5 establishing an encryption protocol between the first user and said first gate; 

6 receiving, from the first user, an mcrypted service access request at 

7 said first gate; 
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8 decrypting said encrypted service access request; 

9 determining wfaeth^ said first user is auttiorized to access the service 

10 identified in the service access request, and if said first user is so authorized; 

1 1 sending service related information across a network to a second gate, 

12 encrypting the s^ce related information at the second gate, and 

13 sending the encrypted service related information to a server. 

1 13. The mediod of claim 12 wherein communications between the first user and 

2 said first gate employ a first encryption key and conununications between the second 

3 gate and tiie server enq>loy a second encryption key. 

1 14. Themethodofclaim 12 wherein said step of authmticating said first iiser 

2 comprises verifying that stored account records reflect that the first user is a network 

3 subsmber service. 

1 15- The method of claim 14 wherein said step of determining whether said first 

2 user is authorized to access the service includes the step of examining stored account 

3 records reflecting said first user's service access privileges. 
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